Backdoor Uses FTP Server as C&C

A newly detailed backdoor is using an FTP server for command and control (C&C) purposes, Trend Micro security researchers warn.

Dubbed SYSCON, the malware is being distributed through malicious documents containing macros. All of these documents mention North Korea and appear to be targeted at individuals connected to the Red Cross and the World Health Organization.

The use of an FTP server for C&C is rather unusual for a botnet, thus possibly slipping unnoticed by administrators and researchers. While this is a clear advantage, the fact that it leaves traffic open for monitoring is a great downside.

Trend Micro also discovered that SYSCON’s authors made a coding mistake that resulted in the backdoor sometimes executing the wrong commands.

The documents carrying the malware feature two long strings, with Base64 encoding using a custom alphabet, a technique used to deliver the Sanny malware family in late 2012. Sanny too leveraged relatively unusual techniques for C&C, had a similar structure, and used an identical encoding key, which could suggest that the same threat actor is behind the new backdoor.

The Base64 strings are cabinet files containing the 32-bit and 64-bit versions of the malware, with the appropriate one (based on OS) being extracted into the %Temp% folder, after which one of the files in the cabinet (uacme.exe) is executed.

The executed file determines the operating system version and either directly executes a BAT file or injects a DLL into the taskhost(ex) process to execute the BAT without triggering a UAC prompt.

The BAT file was designed to inject the main malware module and the configuration file into %Windows%\System32, and to achieve persistence. For that, it configures a new COMSysApp service, adds the service parameters into the registry, and starts the service. It also deletes all previously created files in the %Temp% directory.

After execution, the malware gets the computer name and uses it as an identifier, then logs into the FTP server using credentials stored in the configuration file. The attackers use the byethost free FTP service provider, the researchers discovered.

On the FTP server, commands are stored in .txt files, either meant to be processed by all bots or by specific victim computers. After processing a command, the backdoor lists all currently running processes, then sends the data to the server. Transmitted files are generally zipped and encoded with the same custom Base64 encoding used earlier.

Supported commands include: copy file to temp.ini, pack it to temp.zip, encode and upload; pack file to temp.zip, encode and upload; delete config file, write string to the new config file; put file to the given path on infected system; execute command but don’t report back; and execute downloaded file, among others.

The command processing loop contains what appears to be a typo or mistake, the researchers say. They explain that, while the malware treats the commands as strings in wide character format, a parameter in one of the functions has an incorrect file name, thus preventing the process from executing.

“It is interesting to see something atypical, like C&C communication via FTP. While the malware authors probably used this method in an attempt to avoid security solutions inspection and/or blocking, they may not have realized this would make it very easy to monitor their actions and victims’ data,” Trend Micro concludes.